docs/design/auth-framework.rst

158 Authentication module to authenticate it, following the CoT from ROT to Image.
214    will have been extracted from the parent image i.e. BL31 content
269 The above functions return values from the enum ``crypto_ret_value``.
333 image. The IPM obtains the image format from the CoT and calls the right IPL to
352 parameters should be obtained from the parent image using the IPM.
500 extract the data corresponding to that parameter from an image. This data will
526    parameter should be extracted from an image.
531 #. Extract authentication parameters from a parent image in order to verify a
533    obtained from the parent image.
559 from an image. For example, the hash of a BL3x image in its corresponding
612 obtained from either the image itself or its parent image. The memory allocated
614 parameters which are obtained from the parent for verifying a child image need
631 For parameters that can be obtained from the child image itself, the IPM is
636 parameters that should be extracted from it and used to verify the next image
663    from the current image once it has been verified.
717 these identifiers can be obtained from ``include/common/tbbr/tbbr_img_def.h``.
740    is NULL, the authentication parameters will be obtained from the platform
747    will point to specific information required to extract that parameter from
755       from the parent image. The following parameter descriptors must be
758       -  ``data``: data to be hashed (obtained from current image)
759       -  ``hash``: reference hash (obtained from parent image)
762       the private key whose public part is extracted from the parent image (or
766       -  ``pk``: the public key (obtained from parent image)
767       -  ``sig``: the digital signature (obtained from current image)
768       -  ``alg``: the signature algorithm used (obtained from current image)
769       -  ``data``: the data to be signed (obtained from current image)
772    parameters must be extracted from an image once it has been authenticated.
778 extracted from the certificates. In the case of the TBBR CoT, these parameters
784 be used to extract the parameter data from the corresponding image.
929    is used to extract a public key from the parent image. If the cookie is an
930    OID, the key is extracted from the corresponding x509v3 extension. If the
932    the parent image is NULL, the public key is obtained from the platform
935    the signature from the certificate.
937    extract the signature algorithm from the certificate.
939    to extract the data to be signed from the certificate.
942 Trusted World public key needs to be extracted from the certificate. A new entry
946 descriptor is used to extract the public key from an x509v3 extension with OID
952 using the Trusted World public key obtained previously from the Trusted Key
960 using the BL31 public key obtained previously from the BL31 Key certificate.
967 with the hash obtained from the BL31 certificate. The image descriptor contains